1. Summary

2. Relevant Products

VMware AirWatch Console (AWC)

VMware AirWatch Launcher for Android (AWL)

3. Problem Description

a. VMware AirWatch Console stored XSS vulnerability

VMware AirWatch Console contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device’s ‘Links’ page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL.

VMware would like to thank Nicodemo Gawronski for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4930 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version  Running on  Severity  Replace with/Apply Patch  Workaround
================  ===============  ==========  ========  ========================  ==========
AirWatch Console  9.x              Any         Moderate  9.2.0+                    None

b. VMware AirWatch Console CSV file integrity vulnerability

VMware AirWatch Console contains a vulnerability that could allow an authenticated AWC user to add malicious data to an enrolled device’s log files. Successful exploitation of this issue could result in an unsuspecting AWC user opening a CSV file which contains malicious content.

VMware would like to thank Nicodemo Gawronski for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4931 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version  Running on  Severity  Replace with/Apply Patch  Workaround
================  ===============  ==========  ========  ========================  ==========
AirWatch Console  9.x              Any         Moderate  9.2.0+                    None

c. VMware AirWatch Launcher for Android UI privilege escalation

VMware AirWatch Launcher for Android contains a vulnerability that could allow an escalation of privilege from the launcher UI context menu to native UI functionality and privilege. Successful exploitation of this issue could result in an escalation of privilege.

VMware would like to thank Igor Shmakov for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4932 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product                 Product Version  Running on  Severity   Replace with/Apply Patch  Workaround
=============================  ===============  ==========  =========  ========================  ==========
AirWatch Launcher for Android  x.x              Android     Important  3.2.2                     None

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.